A blog about the art of cyber-jutsu: information security as a martial art.

Monday, January 25, 2010

Sharing with the TaoSecurity Blog

I recently posted a comment which I'd like my readers and students to take a look at on Richard Bejtlich's TaoSecurity Blog.

You will find several of Richard's books on our reading list. He is, in my opinion, a thought leader in the field of Information Security. This is especially true of his ideas concerning Network Security Monitoring (NSM).

I encourage you all to take a look at the whole threaded conversation, but below is a copy and paste of my comment:

Richard,

I'm not sure I'm really following you on this one. Are you suggesting that the 'point in time' doesn't matter?

I can agree that we are facing 'on-going' campaigns of cyber-threats in many arenas, and that we need to plan with the big picture in mind. But even in a physical campaign of war, while we must have high-level strategy that leads battlefield-level tactics, we must win the individual 'point in time' conflicts (at least the key ones) in order to win the war. Wouldn't you agree?

How does IT Security, or if you will allow the term cyber-warfare, differ? I have spent quite a bit of time converting Sun Tzu's The Art of War into IT Security wisdom. To me - his warfare consulting applies in cyberspace as well as physical terrain.

While Sun Tzu does advocate that the war is won or lost in the planning stage, before the enemy is even physically engaged, in the end, the best planning won't amount to a hill of beans if the boys in the trenches can't overcome their foes. That is IMHO the Zen aspect of IT Security - you have to be 'in the moment'.

From a Sun Tzu point of view, I believe that the lesson of his which most American companies that I've worked with are failing to heed is the "Know the Enemy, Know yourself." And of those two suggestions - it is actually the "know yourself" which is hurting the most. I could probably go on at the length of a book on that one... so I'll quit here ;)

About Me

I am a current and active Certified Information Systems Security Professional (CISSP), and have received a certificate for the SANS GIAC Reverse Engineering Malware (GREM) training.
As a high-school student in the mid-1980s, I was sysop and co-sysop of several Bulletin Board Systems (BBS) run on both IBM computers and Atari systems.
While in the USAF in the late 1980s, I was stationed at Yokota AFB, Japan for over 2 years. I was a tech-controller, and a volunteer for the Air Base Aggressor Team, which performed penetration tests against both the permanent station and deployed field units.
I furthered my education at Middlesex County College, in New Jersey, and the Rochester Institute of Technology (RIT).
For the past ten+ years, I have acted in an Information Security Consulting capacity for such large corporations as Xerox and GE, as well as numerous large hospitals and small businesses across these United States.
I am an active freelance writer and Information Security Consultant.
I own and operate CyberCede Corporation. You can find out more about CyberCede at http://www.cybercede.com